White Smoke virus and browser redirect malware


This topic is locked. 15 replies to this topic.

#1 sailorchrono

Posted 09 December 2010 - 05:42 PM

Hello. I'm here today because a few days ago I noticed that the program "White Smoke Translator" just mysteriously installed itself on my system, along with shortcuts on my desktop. Then it seemed my computer immediately slowed down to a crawl. I restarted my computer and went into safe mode and was able to remove White Smoke Translator using add/remove programs. Then I scanned with Malwarebytes, which seemed to pick up a lot of remnants of the White Smoke program. I ran it again and it seemed my computer was clean (Malwarebytes didn't find anything else), so I went back to regular mode. My computer seemed okay until I went on the browser, and now I keep getting random pop-ups and redirected to sites like the yellow pages or other random search engines every now and then (even when I tried to go on the bleeping computer website!). Things also take a lot longer to open (Firefox, Microsoft Word, etc).

Here is the DDS log I just ran:


DDS (Ver_10-12-05.01) - NTFSx86
Run by Mochi at 14:58:05.43 on Wed 12/08/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.46 [GMT -8:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\system32\ANIWConnService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\D-Link\DWA-125 revA\AirGCFG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Livescribe\Livescribe Desktop\LDTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\DOCUME~1\Mochi\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mochi\My Documents\Defogger.exe
C:\Documents and Settings\Mochi\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=1208&m=aoa150
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=1208&m=aoa150
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [LDTray] c:\program files\livescribe\livescribe desktop\LDTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LaunchApp] Alaunch
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [D-Link D-Link Wireless 150 USB Adapter DWA-125] c:\program files\d-link\dwa-125 reva\AirGCFG.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mochi\applic~1\mozilla\firefox\profiles\6fhmyz1i.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\mochi\applic~1\mozilla\firefox\profiles\6fhmyz1i.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Personas: [email protected] - c:\docume~1\mochi\applic~1\mozilla\firefox\profiles\6fhmyz1i.default\extensions\[email protected]

============= SERVICES / DRIVERS ===============

R? EAPPkt;Realtek EAPPkt Protocol
R? JMCR;JMCR
R? PulseUsb;Livescribe Pulse Smartpen USB Driver
R? RTL8187B;Airlink101 802.11g USB 2.0 Adapter
R? UCharger;Usb Charger Driver
S? ANIWConnService;ANIWConn Service
S? AntiVirSchedulerService;Avira AntiVir Scheduler
S? AntiVirService;Avira AntiVir Guard
S? avgio;avgio
S? avgntflt;avgntflt
S? Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service
S? Lavasoft Kernexplorer;Lavasoft helper driver
S? Lbd;Lbd
S? LBeepKE;LBeepKE
S? M3000Srv;Acer Crystal Eye webcam Driver
S? PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service
S? PenCommService;Livescribe Pulse Smartpen Service
S? pnetmdm;PdaNet Modem
S? rt2870;D-Link 802.11n USB Wireless LAN Card Driver
S? SASDIFSV;SASDIFSV
S? SASKUTIL;SASKUTIL
S? WinDefend;Windows Defender

=============== Created Last 30 ================

2010-12-08 04:32:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-12-08 04:32:40 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-08 00:22:30 -------- d-sha-r- C:\cmdcons
2010-12-08 00:19:50 98816 ----a-w- c:\windows\sed.exe
2010-12-08 00:19:50 89088 ----a-w- c:\windows\MBR.exe
2010-12-08 00:19:50 256512 ----a-w- c:\windows\PEV.exe
2010-12-08 00:19:50 161792 ----a-w- c:\windows\SWREG.exe
2010-12-07 12:51:03 -------- d-----w- c:\windows\system32\%APPDATA%
2010-12-07 11:33:00 -------- d-----w- c:\docume~1\mochi\applic~1\Malwarebytes
2010-12-07 11:32:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-07 11:31:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-07 11:31:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-07 11:31:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-07 09:32:34 0 ----a-w- c:\windows\Ysiqihojiseciy.bin
2010-12-07 09:30:09 -------- d-----w- c:\docume~1\mochi\applic~1\F12BFE50FC555096BF1833F891FC95F2
2010-12-06 06:43:21 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{af4b7777-3e0f-4739-886c-f6cbae94c574}\mpengine.dll

==================== Find3M ====================

2010-10-19 18:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-23 07:46:08 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-16 18:26:02 37336 ----a-w- c:\windows\system32\CleanMFT32.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HTS543216L9A300 rev.FB2OC40C -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86F2E555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86f347b0]; MOV EAX, [0x86f3482c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x86F55030]
3 CLASSPNP[0xF78A7FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\0000009a[0x86FC2238]
5 ACPI[0xF779E620] -> nt!IofCallDriver[0x804E13B9] -> [0x86F65D98]
\Driver\atapi[0x86F5DAE8] -> IRP_MJ_CREATE -> 0x86F2E555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HTS543216L9A300_________________FB2OC40C#383031313430424632323030434c594531334157#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86F2E39B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 15:02:36.46 ===============

Oh, I forgot to mention that I've already run Defogger before doing DDS and GMER as instructed in the preparation guide. Also, I'm on an Acer Aspire netbook, if that matters. Thanks in advance for any help! :)

EDIT: Posts merged ~BP

Attached Files


Edited by Budapest, 09 December 2010 - 06:01 PM.



#2 CatByte (Malware Response Team)

Posted 16 December 2010 - 02:55 PM

Hi
please do the following:

Download ComboFix from either of these locations:
Link 1
Link 2


VERY IMPORTANT !!!
Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot]

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.



Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
Microsoft MVP - 2010, 2011, 2012, 2013

#3 sailorchrono (Topic Starter)

Posted 16 December 2010 - 09:21 PM

Hello, I just ran combofix as stated and while it was running, it said it needed to restart to remove some rootkit. I let it restart and then combofix was running again. A minute later, a notification from Avira popped up (I had disabled it prior to running Combofix the first time, but since the computer restarted, I think Avira re-enabled itself) and said it found a trojan (TR/obfuscated.29996c). I ignored the warning at first, but combofix seemed to stop working, so finally I selected ignore on the Avira screen and Combofix started working again.

I walked away for an hour to let Combofix do its thing. When I came back, the computer was off. I turned it back on and now I just see a registration screen for Whitesmoke. I can't even access the desktop or ANYTHING. I'm posting from another computer. I have no access to the C:/ drive to be able to post the log from combofix.

Oh also, since I made my first post, a number of other viruses have shown up, like System Tools 2011. Sometimes I can barely run my computer because so many trojan alerts pop up from Avira.

Edited by sailorchrono, 16 December 2010 - 09:22 PM.


#4 CatByte (Malware Response Team)

Posted 16 December 2010 - 09:35 PM

Hi

Please do the following:

try booting into safe mode

reboot and tap F8 repeatedly on start up until an advanced option menu appears

arrow up to safe mode with networking


now do the following:

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 3 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.


http://download.bleepingcomputer.com/grinler/rkill.exe
http://download.bleepingcomputer.com/grinler/rkill.com
http://download.bleepingcomputer.com/grinler/rkill.scr



Note:

You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message. Run rkill repeatedly until it's able to do its job. This may take a few tries. You'll be able to tell rkill has done its job when your desktop (explorer.exe) cycles off and then on again.

At this point, you should now be able to run other tools.

Once the tool has run, do NOT reboot the machine, and then try to run your malwarebytes program


Follow up with another run of ComboFix,

post both logs

If for some reason the machine reboots, repeat the process. Again, try not to restart the machine.

#5 sailorchrono (Topic Starter)

Posted 17 December 2010 - 12:26 AM

Hi. I restarted the computer in safe mode like you said. White smoke's registration window didn't immediately pop up like in regular mode. Instead, Combofix was still running! I let it finish running and was able to access the log, which I've attached. I then ran R-Kill, which seemed to find nothing. In addition, I've also run Malwarebytes' Anti-Malware. It found over 800 infected files, which I've removed. I've also attached the log for that. I'd like to note that I ran Malwarebytes yesterday (before you replied to my post) and it also found around the same 800 infected files yesterday as well. It seems Whitesmoke (which are the majority if not all of the infected files) keeps reinstalling itself. I keep uninstalling it through add/remove programs, and when I restart the computer, I see the icons back on the desktop.

Something else to note: while opening firefox to reply to this message, websites kept opening in new tabs without me doing anything. They are to random websites and search engines (so it's more than just a redirect, because I didn't open the tab in the first place).

I haven't run combofix a second time yet because I am able to access desktop with no problems in safe mode. Should I run combofix again? Also, after I ran Malwarebytes, it wants me to restart the computer to remove all the infected files. What should I do?

Thank you so much for all your help!

Attached Files


Edited by sailorchrono, 17 December 2010 - 12:31 AM.


#6 CatByte (Malware Response Team)

Posted 17 December 2010 - 04:43 AM

Hi

Please do the following:

Reboot back into safe mode with networking if you need to



Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)




NEXT



  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic366005.html/page__view__findpost__p__2059584

KillAll::

Collect::
c:\windows\Temp\~nsu.tmp\whitesmoke-silent.exe
c:\windows\Temp\~nsu.tmp\WhiteSmokeTranslator_rev1.exe
c:\windows\Temp\~nsu.tmp\wsget.exe
c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
c:\program files\WhiteSmoke Translator\WSTrayDictMode.exe
c:\Documents and Settings\Mochi\Application Data\mssend2\svcnost.exe
c:\windows\system32\drivers\ijlfsxj.sys

Folder::
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar
c:\program files\whitesmoketoolbar
c:\program files\WhiteSmoke Translator
c:\documents and settings\All Users\Application Data\lMgEo06101
c:\documents and settings\Mochi\Application Data\mssend2
c:\documents and settings\Mochi\Application Data\jqqmvavuizbjn2qzdtlzinq1ilpqcj22
c:\windows\system32\%APPDATA%
c:\documents and settings\Mochi\Application Data\F12BFE50FC555096BF1833F891FC95F2

File::
c:\windows\Ysiqihojiseciy.bin
c:\documents and settings\All Users\Start Menu\Programs\Startup\Launch Whitesmoke Translator.lnk

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52794457-af6c-4c50-9def-f2e24f4c8889}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{52794457-af6c-4c50-9def-f2e24f4c8889}"=-
[-HKEY_CLASSES_ROOT\clsid\{52794457-af6c-4c50-9def-f2e24f4c8889}]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\Mochi\\Application Data\\mssend2\\svcnost.exe"=-

Driver::
uitg

DDS::
uInternet Connection Wizard,ShellNext = hxxp://www.whitesmoke.com/client/uninstalltrans.php?serial=&version=1.00.1032

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

[screenshot]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT




Reboot into normal mode and re-run MBAM, see if it is still detecting those entries
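The CFScript above targets three entries that stand out in the "Created Last 30" section of the DDS log in the first post: the literal %APPDATA% folder under system32, the zero-byte Ysiqihojiseciy.bin in the Windows root, and the hex-named folder under Application Data. As an added example that is not part of this thread nor of the DDS or ComboFix tools, here is a small Python triage script that parses that section and flags those three patterns; the heuristics and the Entry/triage names are my own assumptions, and the sample lines are copied from the posted log.

```python
"""Triage helper for the "Created Last 30" section of a DDS log (added example).

The parser follows the line shape visible in the posted log; the three
heuristics are assumptions about what tends to be worth a second look,
not rules from DDS or ComboFix.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One line: timestamp, size (or 8 dashes for a directory), an 8-char
# attribute string such as d-----w- or ----a-w-, then a path with spaces.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-{8})\s+(?P<attrs>[d-]\S{7})\s+(?P<path>.+)$"
)
# Assumed heuristic: 24+ bare hex/alphanumerics with no dot, space or brace
# looks machine-generated rather than like a product folder name.
RANDOM_NAME_RE = re.compile(r"^[0-9a-z]{24,}$", re.I)
# Assumed heuristic: an environment variable left unexpanded and used
# literally as a folder name (DDS prints it exactly as "%APPDATA%").
LITERAL_ENV_RE = re.compile(r"^%[a-z]+%$", re.I)


@dataclass
class Entry:
    ts: str
    size: Optional[int]          # None for directories
    attrs: str
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def parts(self) -> List[str]:
        return self.path.lower().split("\\")


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a data line, or None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["ts"], size, m["attrs"], m["path"])


def suspicious_reasons(e: Entry) -> List[str]:
    """Apply the triage heuristics to one entry; an empty list means it looks normal."""
    parts = e.parts
    name, parent = parts[-1], parts[:-1]
    reasons = []
    if LITERAL_ENV_RE.match(name):
        reasons.append("unexpanded environment variable used as a folder name")
    in_appdata = any(p in ("applic~1", "application data") for p in parent)
    if e.is_dir and in_appdata and RANDOM_NAME_RE.match(name):
        reasons.append("hash-like folder name directly under Application Data")
    if not e.is_dir and parent == ["c:", "windows"] and e.size == 0:
        reasons.append("zero-byte file dropped in the Windows root")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged path to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        e.reasons = suspicious_reasons(e)
        if e.reasons:
            flagged[e.path] = e.reasons
    return flagged


# Sample input: a subset of lines copied from the DDS log posted in this thread.
SAMPLE = """\
=============== Created Last 30 ================

2010-12-08 04:32:40 -------- d-----w- c:\\program files\\SUPERAntiSpyware
2010-12-08 00:22:30 -------- d-sha-r- C:\\cmdcons
2010-12-08 00:19:50 98816 ----a-w- c:\\windows\\sed.exe
2010-12-07 12:51:03 -------- d-----w- c:\\windows\\system32\\%APPDATA%
2010-12-07 11:32:08 38224 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2010-12-07 11:31:36 -------- d-----w- c:\\program files\\Malwarebytes' Anti-Malware
2010-12-07 09:32:34 0 ----a-w- c:\\windows\\Ysiqihojiseciy.bin
2010-12-07 09:30:09 -------- d-----w- c:\\docume~1\\mochi\\applic~1\\F12BFE50FC555096BF1833F891FC95F2
"""

if __name__ == "__main__":
    for path, why in triage(SAMPLE).items():
        print(path, "->", "; ".join(why))
```

The known-good entries in the sample (ComboFix's own sed.exe, the MBAM driver, cmdcons) pass through unflagged, which is the point: the script narrows the list a helper reads, it does not replace reading it.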

#7 sailorchrono (Topic Starter)

Posted 17 December 2010 - 08:18 AM

Hi, I ran TDSSKiller and it found a rootkit which I cured and rebooted.

Then, I ran combofix using the notepad file as stated in your instructions. However, it seems I used an outdated version of Combofix and it asked me whether or not I'd like to update. I clicked yes and it downloaded a new version of itself and restarted combofix. I'm not sure whether or not the special settings from the notepad still went through?

After combofix finished, I ran MBAM. While MBAM was scanning, Avira kept detecting TR/obfuscated.29996c. So I know for sure that is still in the system, even though MBAM finished scanning and hasn't detected anything.

Also, as I was looking through my C:/ to attach the TDSSKiller log, I noticed folders that I've never seen before with very strange names: 7566a3e4842e54327a8f47b2a524 and b25938d8a7dfdcab760837. There are other folders with such names and they have random files in them... one of them even has a file called "Hotfixinstaller.exe" which I believe is a virus? Should I delete these folders? Is there any special way I should dispose of them?


Combofix log:

ComboFix 10-12-16.04 - Mochi 12/17/2010 4:23.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.342 [GMT -8:00]
Running from: c:\documents and settings\Mochi\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mochi\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

FILE ::
"c:\documents and settings\All Users\Start Menu\Programs\Startup\Launch Whitesmoke Translator.lnk"
"c:\windows\Ysiqihojiseciy.bin"

file zipped: c:\documents and settings\Mochi\Application Data\mssend2\svcnost.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\desktop.ini
c:\documents and settings\All Users\Application Data\lMgEo06101
c:\documents and settings\All Users\Application Data\lMgEo06101\lMgEo06101
c:\documents and settings\All Users\Start Menu\Programs\Startup\Launch Whitesmoke Translator.lnk
c:\documents and settings\Mochi\Application Data\desktop.ini
c:\documents and settings\Mochi\Application Data\F12BFE50FC555096BF1833F891FC95F2
c:\documents and settings\Mochi\Application Data\jqqmvavuizbjn2qzdtlzinq1ilpqcj22
c:\documents and settings\Mochi\Application Data\mssend2
c:\documents and settings\Mochi\Application Data\mssend2\svcnost.exe
c:\windows\system32\%APPDATA%
c:\windows\Ysiqihojiseciy.bin

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_uitg


((((((((((((((((((((((((( Files Created from 2010-11-17 to 2010-12-17 )))))))))))))))))))))))))))))))
.

2010-12-10 00:02 . 2010-12-10 08:27 29996 ---h--w- c:\documents and settings\Mochi\Application Data\ntuser.dat
2010-12-08 22:48 . 2010-12-08 23:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-12-08 04:32 . 2010-12-08 04:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-12-08 04:32 . 2010-12-08 04:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-07 12:18 . 2010-12-07 12:18 -------- d-----w- c:\program files\Common Files\Adobe
2010-12-07 11:38 . 2010-12-07 11:38 -------- d-----w- c:\documents and settings\Administrator
2010-12-07 11:33 . 2010-12-07 11:33 -------- d-----w- c:\documents and settings\Mochi\Application Data\Malwarebytes
2010-12-07 11:32 . 2010-11-30 01:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-07 11:31 . 2010-12-07 11:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-07 11:31 . 2010-11-30 01:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-07 11:31 . 2010-12-07 11:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-06 06:43 . 2010-11-10 04:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{AF4B7777-3E0F-4739-886C-F6CBAE94C574}\mpengine.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-10 04:33 . 2009-01-07 05:01 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2010-11-04 14:41 . 2010-10-21 01:55 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-10-19 18:41 . 2009-10-03 02:43 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-23 07:46 . 2010-10-21 04:23 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-23 07:46 . 2010-10-21 01:56 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-18 19:23 . 2008-04-15 03:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDTray"="c:\program files\Livescribe\Livescribe Desktop\LDTray.exe" [2010-02-18 647168]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"M3000Mnt"="M3000Rmv.dll " [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-15 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-04 149280]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"D-Link D-Link Wireless 150 USB Adapter DWA-125"="c:\program files\D-Link\DWA-125 revA\AirGCFG.exe" [2009-04-22 1683456]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\Mochi\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
PdaNet Desktop.lnk - c:\program files\PdaNet for Windows Mobile\PdaNetPC.exe [2008-12-31 222424]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-11-1 576104]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-6-4 114688]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-1-2 809488]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2009-6-12 1073152]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-9-11 525664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-08 00:41 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\PdaNet for Windows Mobile\\PdaNetPC.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/20/2010 5:56 PM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67656]
R2 ANIWConnService;ANIWConn Service;c:\windows\system32\ANIWConnService.exe [8/15/2009 10:10 PM 147456]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/29/2009 7:24 PM 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/22/2010 11:46 PM 1375992]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [1/2/2009 7:27 PM 10384]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [10/19/2010 5:55 PM 632792]
R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\Common Files\Livescribe\PenComm\PenCommService.exe [2/18/2010 1:23 PM 265728]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [5/5/2008 8:01 AM 151936]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [12/31/2008 4:56 PM 9472]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\DRIVERS\EAPPkt.sys --> c:\windows\system32\DRIVERS\EAPPkt.sys [?]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [12/31/2008 2:34 PM 96856]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [9/22/2010 11:46 PM 15264]
S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [3/7/2010 7:13 PM 20096]
S3 RTL8187B;Airlink101 802.11g USB 2.0 Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys --> c:\windows\system32\DRIVERS\RTL8187B.sys [?]
S3 UCharger;Usb Charger Driver;c:\windows\system32\drivers\UCharger.sys [9/16/2009 2:43 PM 13765]
.
Contents of the 'Scheduled Tasks' folder

2010-12-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-09-23 21:59]

2010-07-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-12-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]

2010-11-29 c:\windows\Tasks\RMSchedule.job
- c:\program files\Registry Mechanic\RegMech.exe [2010-10-20 18:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=1208&m=aoa150
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=1208&m=aoa150
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Mochi\Application Data\Mozilla\Firefox\Profiles\6fhmyz1i.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Personas: [email protected] - %profile%\extensions\[email protected]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-17 04:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
LDTray = c:\program files\Livescribe\Livescribe Desktop\LDTray.exe??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2528)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxext.exe
c:\docume~1\Mochi\LOCALS~1\Temp\RtkBtMnt.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\Logitech\SetPoint\LU\LULnchr.exe
c:\program files\Logitech\SetPoint\LU\LogitechUpdate.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-12-17 04:39:03 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-17 12:38
ComboFix2.txt 2010-12-17 04:59
ComboFix3.txt 2010-12-08 00:56

Pre-Run: 71,333,240,832 bytes free
Post-Run: 71,343,013,888 bytes free

- - End Of File - - CF29E4EC7E4472A09DB2E0EC5112A5C8

TDSSKiller log:
2010/12/17 04:06:35.0187 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2010/12/17 04:06:35.0187 ================================================================================
2010/12/17 04:06:35.0187 SystemInfo:
2010/12/17 04:06:35.0187
2010/12/17 04:06:35.0187 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/17 04:06:35.0187 Product type: Workstation
2010/12/17 04:06:35.0187 ComputerName: DOMOOOOOOO
2010/12/17 04:06:35.0187 UserName: Mochi
2010/12/17 04:06:35.0187 Windows directory: C:\WINDOWS
2010/12/17 04:06:35.0187 System windows directory: C:\WINDOWS
2010/12/17 04:06:35.0187 Processor architecture: Intel x86
2010/12/17 04:06:35.0187 Number of processors: 2
2010/12/17 04:06:35.0187 Page size: 0x1000
2010/12/17 04:06:35.0187 Boot type: Normal boot
2010/12/17 04:06:35.0187 ================================================================================
2010/12/17 04:06:36.0640 Initialize success
2010/12/17 04:06:41.0109 ================================================================================
2010/12/17 04:06:41.0109 Scan started
2010/12/17 04:06:41.0109 Mode: Manual;
2010/12/17 04:06:41.0109 ================================================================================
2010/12/17 04:06:44.0218 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2010/12/17 04:06:44.0437 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/17 04:06:44.0500 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2010/12/17 04:06:44.0703 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2010/12/17 04:06:45.0031 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/12/17 04:06:45.0156 AegisP (30bb1bde595ca65fd5549462080d94e5) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2010/12/17 04:06:45.0343 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/12/17 04:06:45.0437 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/12/17 04:06:45.0500 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2010/12/17 04:06:45.0734 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2010/12/17 04:06:45.0796 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2010/12/17 04:06:45.0890 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2010/12/17 04:06:46.0125 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2010/12/17 04:06:46.0218 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2010/12/17 04:06:46.0328 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2010/12/17 04:06:46.0546 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2010/12/17 04:06:46.0625 ANIO (2953a157a783bfc06f42f99fefa5eb07) C:\WINDOWS\system32\ANIO.SYS
2010/12/17 04:06:46.0859 AR5416 (7cae93fe5511d0c0688cfa56cf241e31) C:\WINDOWS\system32\DRIVERS\athw.sys
2010/12/17 04:06:47.0140 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2010/12/17 04:06:47.0218 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2010/12/17 04:06:47.0281 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2010/12/17 04:06:47.0531 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/17 04:06:47.0640 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/17 04:06:47.0734 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/17 04:06:47.0984 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/17 04:06:48.0203 avgio (6a646c46b9415e13095aa9b352040a7a) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2010/12/17 04:06:48.0546 avgntflt (14fe36d8f2c6a2435275338d061a0b66) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2010/12/17 04:06:48.0656 avipbb (452e382340bb0c5e694ed9d3625356d0) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2010/12/17 04:06:48.0921 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/17 04:06:49.0093 btaudio (142986d4da016d4de0d93b51d1ddfbde) C:\WINDOWS\system32\drivers\btaudio.sys
2010/12/17 04:06:49.0343 BTDriver (58a49bd10e08d3d4333a60dedcb1ced8) C:\WINDOWS\system32\DRIVERS\btport.sys
2010/12/17 04:06:49.0781 BTKRNL (6d23a08a656e1c230d697d1a0d63c491) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
2010/12/17 04:06:50.0281 BTWDNDIS (80f61de965c116051614ac2f04222ff7) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
2010/12/17 04:06:50.0375 btwhid (e48668b4a6a5cf68b33aecad18ee8e1e) C:\WINDOWS\system32\DRIVERS\btwhid.sys
2010/12/17 04:06:50.0640 BTWUSB (ad7f4b81a3f8d330dd8382b7cf4df341) C:\WINDOWS\system32\Drivers\btwusb.sys
2010/12/17 04:06:50.0781 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2010/12/17 04:06:51.0046 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/17 04:06:51.0140 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/12/17 04:06:51.0375 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2010/12/17 04:06:51.0453 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/17 04:06:51.0531 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/17 04:06:51.0781 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/17 04:06:52.0156 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/12/17 04:06:52.0281 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2010/12/17 04:06:52.0546 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/12/17 04:06:52.0703 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2010/12/17 04:06:53.0046 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2010/12/17 04:06:53.0343 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2010/12/17 04:06:53.0468 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/17 04:06:53.0718 DKbFltr (08d30af92c270f2e76787c81589dbad6) C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
2010/12/17 04:06:53.0921 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/17 04:06:54.0218 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/17 04:06:54.0546 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/17 04:06:54.0734 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/17 04:06:54.0968 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2010/12/17 04:06:55.0140 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/17 04:06:55.0437 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/17 04:06:55.0593 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/12/17 04:06:55.0828 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/17 04:06:56.0046 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/12/17 04:06:56.0390 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/12/17 04:06:56.0625 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/17 04:06:56.0875 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/17 04:06:57.0218 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/12/17 04:06:57.0296 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/17 04:06:57.0406 hamachi (7929a161f9951d173ca9900fe7067391) C:\WINDOWS\system32\DRIVERS\hamachi.sys
2010/12/17 04:06:57.0671 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/12/17 04:06:57.0812 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/12/17 04:06:57.0921 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2010/12/17 04:06:58.0234 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/17 04:06:58.0593 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/12/17 04:06:58.0687 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2010/12/17 04:06:58.0968 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/17 04:06:59.0484 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2010/12/17 04:07:00.0187 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/17 04:07:00.0343 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2010/12/17 04:07:00.0468 int15.sys (4d8d5b1c895ea0f2a721b98a7ce198f1) C:\Acer\Empowering Technology\eRecovery\int15.sys
2010/12/17 04:07:00.0906 IntcAzAudAddService (19afbb8427ce65042599555e578170df) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/12/17 04:07:01.0437 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/12/17 04:07:01.0593 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/12/17 04:07:01.0828 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/12/17 04:07:01.0937 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/17 04:07:02.0250 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/17 04:07:02.0531 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/17 04:07:02.0906 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/17 04:07:03.0046 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/17 04:07:03.0328 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/17 04:07:03.0437 JMCR (da971cfc625d13636e04c405948e9d62) C:\WINDOWS\system32\DRIVERS\jmcr.sys
2010/12/17 04:07:03.0671 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/17 04:07:03.0750 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/17 04:07:03.0906 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/17 04:07:04.0171 Lavasoft Kernexplorer (0bd6d3f477df86420de942a741dabe37) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
2010/12/17 04:07:04.0937 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2010/12/17 04:07:05.0609 LBeepKE (8f4d784b3f22f468eea99da02b0e39e5) C:\WINDOWS\system32\Drivers\LBeepKE.sys
2010/12/17 04:07:06.0468 LHidFilt (dd83dc92463fce6324fd30a13d17d0da) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
2010/12/17 04:07:07.0000 LMouFilt (8fe0008e183ff0293a925b78a5581c5f) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
2010/12/17 04:07:07.0796 M3000Srv (29ed05c1dafd2e830dfe48de212dd34f) C:\WINDOWS\system32\Drivers\M3000KNT.sys
2010/12/17 04:07:08.0343 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/17 04:07:08.0875 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/17 04:07:09.0500 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/17 04:07:10.0093 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/12/17 04:07:10.0843 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/17 04:07:11.0484 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2010/12/17 04:07:12.0125 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/17 04:07:12.0968 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/17 04:07:13.0656 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/17 04:07:14.0140 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/17 04:07:14.0484 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/17 04:07:14.0718 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/17 04:07:14.0890 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/17 04:07:15.0125 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/12/17 04:07:15.0359 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/17 04:07:15.0859 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/12/17 04:07:16.0765 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/17 04:07:17.0281 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/12/17 04:07:17.0718 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/17 04:07:18.0109 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/17 04:07:18.0656 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/17 04:07:18.0937 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/17 04:07:19.0265 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/17 04:07:19.0531 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/17 04:07:20.0468 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/17 04:07:20.0859 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/17 04:07:21.0640 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/17 04:07:21.0734 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/17 04:07:22.0000 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/17 04:07:22.0250 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2010/12/17 04:07:22.0500 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/17 04:07:22.0937 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/17 04:07:23.0468 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/17 04:07:24.0406 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/12/17 04:07:24.0531 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/12/17 04:07:25.0187 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2010/12/17 04:07:25.0718 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2010/12/17 04:07:26.0171 pnetmdm (da19e3401f39c10df193be029c7e7bba) C:\WINDOWS\system32\DRIVERS\pnetmdm.sys
2010/12/17 04:07:26.0578 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/17 04:07:26.0687 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/12/17 04:07:26.0953 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/17 04:07:27.0281 PulseUsb (071ae03df7d37fbbf9766703265ad871) C:\WINDOWS\system32\DRIVERS\PulseUsb.sys
2010/12/17 04:07:27.0671 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/12/17 04:07:28.0078 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2010/12/17 04:07:28.0546 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2010/12/17 04:07:28.0656 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2010/12/17 04:07:28.0921 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2010/12/17 04:07:29.0093 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2010/12/17 04:07:30.0015 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/17 04:07:30.0281 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/17 04:07:30.0593 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/17 04:07:31.0109 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/17 04:07:31.0718 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/17 04:07:32.0171 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/17 04:07:32.0453 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/12/17 04:07:32.0828 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/17 04:07:33.0265 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/17 04:07:33.0765 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2010/12/17 04:07:34.0140 RT25USBAP (9c377dbf9d2d19098db935dc1e8361a3) C:\WINDOWS\system32\DRIVERS\rt25usbap.sys
2010/12/17 04:07:34.0437 rt2870 (a6886caf9d03dade7144171e471eca6f) C:\WINDOWS\system32\DRIVERS\rt2870.sys
2010/12/17 04:07:34.0828 RTLE8023xp (f0a21c62b9b835e1c96268eaae31d239) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2010/12/17 04:07:35.0062 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/12/17 04:07:35.0218 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2010/12/17 04:07:35.0593 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/17 04:07:35.0734 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2010/12/17 04:07:35.0984 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/17 04:07:36.0234 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2010/12/17 04:07:36.0484 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/12/17 04:07:36.0625 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
2010/12/17 04:07:37.0015 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2010/12/17 04:07:37.0265 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/17 04:07:37.0406 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/17 04:07:37.0703 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/17 04:07:37.0843 ssmdrv (654dfea96bc82b4acda4f37e5e4a3bbf) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2010/12/17 04:07:38.0671 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/12/17 04:07:38.0953 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/17 04:07:39.0109 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/17 04:07:39.0515 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/12/17 04:07:39.0890 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/12/17 04:07:40.0250 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/12/17 04:07:40.0359 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/12/17 04:07:40.0640 SynTP (409f7eeb079d6154ccb26a02e6e27844) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2010/12/17 04:07:40.0906 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/17 04:07:41.0109 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/17 04:07:41.0500 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/17 04:07:42.0031 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/17 04:07:42.0578 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/17 04:07:43.0203 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2010/12/17 04:07:43.0343 UCharger (e0529f7b6e1ace01ebb58e5642582c92) C:\WINDOWS\system32\Drivers\UCharger.sys
2010/12/17 04:07:43.0671 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/17 04:07:44.0093 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2010/12/17 04:07:44.0343 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/12/17 04:07:44.0703 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/12/17 04:07:45.0390 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/12/17 04:07:45.0484 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/12/17 04:07:45.0781 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/17 04:07:45.0890 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/17 04:07:46.0203 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/12/17 04:07:46.0437 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/12/17 04:07:46.0750 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/17 04:07:46.0984 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/12/17 04:07:47.0375 usb_rndisx (b6cc50279d6cd28e090a5d33244adc9a) C:\WINDOWS\system32\DRIVERS\usb8023x.sys
2010/12/17 04:07:47.0625 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/12/17 04:07:47.0812 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2010/12/17 04:07:48.0156 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/12/17 04:07:48.0500 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/17 04:07:48.0921 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/17 04:07:49.0593 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2010/12/17 04:07:49.0937 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/17 04:07:50.0250 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/12/17 04:07:50.0500 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/12/17 04:07:50.0921 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/12/17 04:07:51.0281 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/12/17 04:07:51.0718 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/17 04:07:51.0734 ================================================================================
2010/12/17 04:07:51.0734 Scan finished
2010/12/17 04:07:51.0734 ================================================================================
2010/12/17 04:07:51.0781 Detected object count: 1
2010/12/17 04:08:06.0000 \HardDisk0 - will be cured after reboot
2010/12/17 04:08:06.0000 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/12/17 04:08:22.0484 Deinitialize success

Edited by sailorchrono, 17 December 2010 - 08:20 AM.
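An added example, not part of the thread, of how the TDSSKiller log format above can be parsed to separate the file-backed driver entries (name, MD5, path) from a detection on a whole-disk object such as \HardDisk0, which has no driver file behind it to hash or quarantine. The sample log is a few lines copied from the log above; the function and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a handful of lines copied from the TDSSKiller log posted above.
SAMPLE_LOG = r"""
2010/12/17 04:07:35.0062 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/12/17 04:07:41.0109 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/17 04:07:51.0281 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/12/17 04:07:51.0718 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/17 04:07:51.0734 ================================================================================
2010/12/17 04:07:51.0734 Scan finished
2010/12/17 04:07:51.0781 Detected object count: 1
2010/12/17 04:08:06.0000 \HardDisk0 - will be cured after reboot
2010/12/17 04:08:06.0000 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/12/17 04:08:22.0484 Deinitialize success
"""

# Every line starts with a timestamp; the three interesting line shapes follow it:
#   <name> (<md5>) <path>                      -> a scanned driver file
#   <object> - detected <verdict> (<n>)        -> a detection
#   <verdict>(<object>) - User select action: X -> what the user chose to do
TS = r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+"
DRIVER_RE = re.compile(TS + r"(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+?)\s*$")
DETECT_RE = re.compile(TS + r"(?P<obj>\S+) - detected (?P<verdict>\S+)")
ACTION_RE = re.compile(TS + r"(?P<verdict>\S+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)")
COUNT_RE = re.compile(TS + r"Detected object count: (?P<n>\d+)")


@dataclass
class Detection:
    obj: str                      # the object flagged, e.g. a driver name or \HardDisk0
    verdict: str                  # the detection name, e.g. Rootkit.Win32.TDSS.tdl4
    file_backed: bool             # True when obj is one of the scanned driver files
    action: Optional[str] = None  # filled in from the "User select action" line


def parse_tdsskiller(log: str) -> Tuple[Dict[str, Tuple[str, str]], List[Detection], Optional[int]]:
    """Return (drivers by name -> (md5, path), detections, declared detection count)."""
    drivers: Dict[str, Tuple[str, str]] = {}
    detections: List[Detection] = []
    declared: Optional[int] = None
    for line in log.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            drivers[m["name"]] = (m["md5"], m["path"])
            continue
        m = DETECT_RE.match(line)
        if m:
            detections.append(Detection(m["obj"], m["verdict"], m["obj"] in drivers))
            continue
        m = ACTION_RE.match(line)
        if m:
            for d in detections:
                if d.obj == m["obj"] and d.verdict == m["verdict"]:
                    d.action = m["action"]
            continue
        m = COUNT_RE.match(line)
        if m:
            declared = int(m["n"])
    return drivers, detections, declared


def summarize(log: str) -> dict:
    """Condense a log into what a helper reading the thread wants to know."""
    drivers, detections, declared = parse_tdsskiller(log)
    return {
        "drivers_scanned": len(drivers),
        "detections": [(d.obj, d.verdict, d.action) for d in detections],
        # A detection whose object is not a scanned driver file is a device-level
        # object (here the whole disk \HardDisk0): there is no file to quarantine
        # or submit, and the cure is applied at reboot.
        "device_level": [d.obj for d in detections if not d.file_backed],
        # Detections with no recorded user action were left untreated.
        "unresolved": [d.obj for d in detections if d.action is None],
        # Sanity check: the tool's own count should equal what we parsed.
        "count_matches": declared is None or declared == len(detections),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```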


#8 CatByte (Malware Response Team)

Posted 17 December 2010 - 11:40 AM

Hi

Those random numbered folders on your C:\ drive are Windows updates; the hotfixinstaller.exe is not a virus, it belongs to Windows updates (the virus of a similar name is located in a different path).

Avira is likely detecting the quarantined items; can you post the location of where it is finding those detections?


Please run the following:

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
Microsoft MVP - 2010, 2011, 2012, 2013

#9 sailorchrono (Topic Starter)

Posted 17 December 2010 - 09:26 PM

The location of the TR/obfuscated.29996c that Avira keeps detecting is: C:\Documents and Settings\Mochi\Application Data\ntuser.dat

I've run ESET and here are the results:
C:\Documents and Settings\Mochi\My Documents\external hdd\Monkey Island 1 and 2.rar INF/Autorun.gen trojan
C:\Qoobox\Quarantine\[4]-Submit_2010-12-17_04.23.23.zip a variant of Win32/Kryptik.ITY trojan
C:\System Volume Information\_restore{D24A3BE8-4CBB-48D0-81AD-ACAFA6A6C48B}\RP386\A0093552.dll a variant of Win32/Cimag.EX trojan
C:\System Volume Information\_restore{D24A3BE8-4CBB-48D0-81AD-ACAFA6A6C48B}\RP386\A0103976.exe a variant of Win32/Kryptik.ITY trojan
C:\System Volume Information\_restore{D24A3BE8-4CBB-48D0-81AD-ACAFA6A6C48B}\RP386\A0103977.exe a variant of Win32/Kryptik.ITY trojan
C:\System Volume Information\_restore{D24A3BE8-4CBB-48D0-81AD-ACAFA6A6C48B}\RP386\A0103978.exe a variant of Win32/Kryptik.IWC trojan
C:\System Volume Information\_restore{D24A3BE8-4CBB-48D0-81AD-ACAFA6A6C48B}\RP386\A0103979.exe a variant of Win32/Kryptik.ITY trojan
C:\System Volume Information\_restore{D24A3BE8-4CBB-48D0-81AD-ACAFA6A6C48B}\RP386\A0103980.exe a variant of Win32/Kryptik.ITY trojan
C:\System Volume Information\_restore{D24A3BE8-4CBB-48D0-81AD-ACAFA6A6C48B}\RP386\A0103981.dll a variant of Win32/Wimpixo.AA trojan
C:\System Volume Information\_restore{D24A3BE8-4CBB-48D0-81AD-ACAFA6A6C48B}\RP386\A0107066.dll a variant of Win32/AutoRun.Spy.Ambler.CG worm

#10 CatByte (Malware Response Team)

Posted 18 December 2010 - 01:24 PM

Hi

Please do the following:


Submit a file to VirusTotal for analysis
  • Use the browse button on that page to navigate to the location of the file to be scanned.
  • In the right-hand panel, click on the file C:\Documents and Settings\Mochi\Application Data\ntuser.dat, then click the Open button.
  • The file will now be displayed in the submit box.
  • Scroll down a bit and click "send file", wait for the results
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.

NEXT

Navigate to and remove this file

C:\Documents and Settings\Mochi\My Documents\external hdd\Monkey Island 1 and 2.rar

The remaining items are in quarantine or old restore points.

NEXT

Please post a fresh DDS Log and Attach.txt and advise how your computer is running now and if there are any outstanding issues
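An added example (my own code, not something from the thread) of the triage CatByte applies above: parse the ESET result lines, sort each hit by where it lives, and report only the live files as needing action, since quarantine and restore-point entries are inert copies to be cleared at the end. The sample input is the ten lines from the ESET report above; the folder rules assume ComboFix's C:\Qoobox\Quarantine as the only quarantine location, so other scanners' quarantine folders would need adding.

```python
import re
from typing import Dict, List, Tuple

# Sample input: the ten result lines copied from the ESET report posted above.
ESET_RESULTS = r"""
C:\Documents and Settings\Mochi\My Documents\external hdd\Monkey Island 1 and 2.rar INF/Autorun.gen trojan
C:\Qoobox\Quarantine\[4]-Submit_2010-12-17_04.23.23.zip a variant of Win32/Kryptik.ITY trojan
C:\System Volume Information\_restore{D24A3BE8-4CBB-48D0-81AD-ACAFA6A6C48B}\RP386\A0093552.dll a variant of Win32/Cimag.EX trojan
C:\System Volume Information\_restore{D24A3BE8-4CBB-48D0-81AD-ACAFA6A6C48B}\RP386\A0103976.exe a variant of Win32/Kryptik.ITY trojan
C:\System Volume Information\_restore{D24A3BE8-4CBB-48D0-81AD-ACAFA6A6C48B}\RP386\A0103977.exe a variant of Win32/Kryptik.ITY trojan
C:\System Volume Information\_restore{D24A3BE8-4CBB-48D0-81AD-ACAFA6A6C48B}\RP386\A0103978.exe a variant of Win32/Kryptik.IWC trojan
C:\System Volume Information\_restore{D24A3BE8-4CBB-48D0-81AD-ACAFA6A6C48B}\RP386\A0103979.exe a variant of Win32/Kryptik.ITY trojan
C:\System Volume Information\_restore{D24A3BE8-4CBB-48D0-81AD-ACAFA6A6C48B}\RP386\A0103980.exe a variant of Win32/Kryptik.ITY trojan
C:\System Volume Information\_restore{D24A3BE8-4CBB-48D0-81AD-ACAFA6A6C48B}\RP386\A0103981.dll a variant of Win32/Wimpixo.AA trojan
C:\System Volume Information\_restore{D24A3BE8-4CBB-48D0-81AD-ACAFA6A6C48B}\RP386\A0107066.dll a variant of Win32/AutoRun.Spy.Ambler.CG worm
"""

# The verdict is the tail of the line: an optional "a variant of" prefix, a
# Family/Name signature and a threat type. Everything before it is the path,
# which may itself contain spaces, so the verdict is matched from the end.
VERDICT_RE = re.compile(
    r"\s+((?:probably )?(?:a variant of )?[\w\-]+/[\w.\-]+ "
    r"(?:trojan|worm|virus|adware|backdoor|application))$",
    re.IGNORECASE,
)

# Assumed locations (ComboFix keeps its quarantine under C:\Qoobox\Quarantine;
# System Restore snapshots live under System Volume Information\_restore{...}).
QUARANTINE_RE = re.compile(r"^[a-z]:\\qoobox\\quarantine\\", re.IGNORECASE)
RESTORE_RE = re.compile(r"^[a-z]:\\system volume information\\_restore\{", re.IGNORECASE)


def parse_eset_line(line: str) -> Tuple[str, str]:
    """Split one result line into (path, verdict)."""
    m = VERDICT_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised ESET result line: {line!r}")
    return line[: m.start()], m.group(1)


def classify(path: str) -> str:
    """Where the flagged file lives decides whether it still needs action."""
    if QUARANTINE_RE.match(path):
        return "quarantine"      # already neutralised by a removal tool
    if RESTORE_RE.match(path):
        return "restore_point"   # an old System Restore copy, not an active file
    return "live"                # a real file on disk: delete or submit it


def triage(report: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group every (path, verdict) pair by classification."""
    groups: Dict[str, List[Tuple[str, str]]] = {"live": [], "quarantine": [], "restore_point": []}
    for line in report.splitlines():
        if not line.strip():
            continue
        path, verdict = parse_eset_line(line)
        groups[classify(path)].append((path, verdict))
    return groups


def action_items(report: str) -> List[str]:
    """Only live hits need the user to do something; the rest are cleaned up later."""
    return [path for path, _ in triage(report)["live"]]


if __name__ == "__main__":
    for group, hits in triage(ESET_RESULTS).items():
        print(f"{group}: {len(hits)} item(s)")
    for path in action_items(ESET_RESULTS):
        print("needs action:", path)
```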

#11 sailorchrono (Topic Starter)

Posted 18 December 2010 - 01:56 PM

Hi, I've done the virustotal and here is the link: http://www.virustotal.com/file-scan/report.html?id=ef5ea35c0492ad53cea5a616ad19985be8ef9aa666206afb80459c12bc5c1828-1292697532

I have deleted Monkey Island.

Also, about the old files in quarantine and such... are they okay to be left as is? Is it possible they start up trouble later?

I've rerun DDS and will post the log and attach the Attach txt... I don't know how to zip though :(

My computer seems to be running much better :) I don't think I've gotten any more redirects and I don't see any more random pages opening. Thank you SO much!!!!!^_^ The speed seems to be like before the virus hit as well.

Anyways: DDS log
---


DDS (Ver_10-12-05.01) - NTFSx86
Run by Mochi at 10:45:31.95 on Sat 12/18/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.276 [GMT -8:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\system32\ANIWConnService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\D-Link\DWA-125 revA\AirGCFG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Livescribe\Livescribe Desktop\LDTray.exe
C:\DOCUME~1\Mochi\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\LU\LULnchr.exe
C:\Program Files\Logitech\SetPoint\LU\LogitechUpdate.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mochi\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=1208&m=aoa150
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=1208&m=aoa150
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [LDTray] c:\program files\livescribe\livescribe desktop\LDTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [LaunchApp] Alaunch
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [D-Link D-Link Wireless 150 USB Adapter DWA-125] c:\program files\d-link\dwa-125 reva\AirGCFG.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\mochi\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\mochi\startm~1\programs\startup\pdanet~1.lnk - c:\program files\pdanet for windows mobile\PdaNetPC.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\runnin~1.lnk - c:\program files\wificonnector\NintendoWFCReg.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mochi\applic~1\mozilla\firefox\profiles\6fhmyz1i.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\mochi\applic~1\mozilla\firefox\profiles\6fhmyz1i.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Personas: [email protected] - c:\docume~1\mochi\applic~1\mozilla\firefox\profiles\6fhmyz1i.default\extensions\[email protected]

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-10-20 64288]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-29 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 ANIWConnService;ANIWConn Service;c:\windows\system32\ANIWConnService.exe [2009-8-15 147456]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-29 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-29 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-29 56816]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-1-2 10384]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-10-19 632792]
R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\common files\livescribe\pencomm\PenCommService.exe [2010-2-18 265728]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [2008-5-5 151936]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2008-12-31 9472]
R3 rt2870;D-Link 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2009-8-15 715520]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\eappkt.sys --> c:\windows\system32\drivers\EAPPkt.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-22 1375992]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-12-31 96856]
S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [2010-3-7 20096]
S3 RTL8187B;Airlink101 802.11g USB 2.0 Adapter;c:\windows\system32\drivers\rtl8187b.sys --> c:\windows\system32\drivers\RTL8187B.sys [?]
S3 UCharger;Usb Charger Driver;c:\windows\system32\drivers\UCharger.sys [2009-9-16 13765]

=============== Created Last 30 ================

2010-12-17 22:43:33 -------- d-----w- c:\program files\ESET
2010-12-17 12:53:30 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{9ce9d0a4-d272-4983-a260-67178e0f2ff0}\mpengine.dll
2010-12-10 00:02:01 29996 ---h--w- c:\docume~1\mochi\applic~1\ntuser.dat
2010-12-08 04:32:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-12-08 04:32:40 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-08 00:22:30 -------- d-sha-r- C:\cmdcons
2010-12-08 00:19:50 98816 ----a-w- c:\windows\sed.exe
2010-12-08 00:19:50 89088 ----a-w- c:\windows\MBR.exe
2010-12-08 00:19:50 256512 ----a-w- c:\windows\PEV.exe
2010-12-08 00:19:50 161792 ----a-w- c:\windows\SWREG.exe
2010-12-07 11:33:00 -------- d-----w- c:\docume~1\mochi\applic~1\Malwarebytes
2010-12-07 11:32:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-07 11:31:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-07 11:31:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-07 11:31:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-03 12:25:53 389120 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\SET3E37.tmp
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 18:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-23 07:46:08 15880 ----a-w- c:\windows\system32\lsdelete.exe

============= FINISH: 10:51:38.95 ===============


#12 CatByte (Malware Response Team)

Posted 18 December 2010 - 03:09 PM

Hi,

Those files are fine in quarantine; I'll be clearing them up shortly. Just a couple more things to do:

Please do the following:

Note: Make sure you have an active internet connection, and allow ComboFix to upload the file requested.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into Notepad:

Here's how to do that:
Click Start > Run, type Notepad and click OK.
This will open an empty Notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic366005.html

Collect::
C:\Documents and Settings\Mochi\Application Data\ntuser.dat

Now paste the copied text into the open Notepad window - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Visit Adobe and download the latest version of Acrobat Reader (version X).
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 23 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 23 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u23 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


#13 sailorchrono (Topic Starter)

Posted 18 December 2010 - 03:56 PM

Okay, I ran ComboFix with the Notepad file as stated. The log will be posted below.

I've also updated Adobe and Java. I had no idea they were so out of date!

ComboFix log:

ComboFix 10-12-18.01 - Mochi 12/18/2010 12:20:53.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.317 [GMT -8:00]
Running from: c:\documents and settings\Mochi\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mochi\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

file zipped: c:\documents and settings\Mochi\Application Data\ntuser.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mochi\Application Data\ntuser.dat
c:\program files\Internet Explorer\SET3DB0.tmp
c:\windows\system32\_000006_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2010-11-18 to 2010-12-18 )))))))))))))))))))))))))))))))
.

2010-12-17 22:50 . 2010-12-17 22:50 -------- d-----w- c:\windows\LastGood
2010-12-17 22:43 . 2010-12-17 22:43 -------- d-----w- c:\program files\ESET
2010-12-17 12:53 . 2010-11-10 04:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{9CE9D0A4-D272-4983-A260-67178E0F2FF0}\mpengine.dll
2010-12-08 22:48 . 2010-12-08 23:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-12-08 04:32 . 2010-12-08 04:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-12-08 04:32 . 2010-12-08 04:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-07 12:18 . 2010-12-07 12:18 -------- d-----w- c:\program files\Common Files\Adobe
2010-12-07 11:38 . 2010-12-07 11:38 -------- d-----w- c:\documents and settings\Administrator
2010-12-07 11:33 . 2010-12-07 11:33 -------- d-----w- c:\documents and settings\Mochi\Application Data\Malwarebytes
2010-12-07 11:32 . 2010-11-30 01:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-07 11:31 . 2010-12-07 11:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-07 11:31 . 2010-11-30 01:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-07 11:31 . 2010-12-07 11:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2008-04-15 03:00 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-10 04:33 . 2009-01-07 05:01 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2010-11-06 00:34 . 2010-11-06 00:34 832512 ----a-w- c:\windows\system32\SET3D91.tmp
2010-11-06 00:34 . 2010-11-06 00:34 478208 ----a-w- c:\windows\system32\SET3D99.tmp
2010-11-06 00:34 . 2010-11-06 00:34 44544 ----a-w- c:\windows\system32\SET3D95.tmp
2010-11-06 00:34 . 2010-11-06 00:34 233472 ----a-w- c:\windows\system32\SET3D92.tmp
2010-11-06 00:34 . 2010-11-06 00:34 1168384 ----a-w- c:\windows\system32\SET3D93.tmp
2010-11-06 00:34 . 2010-11-06 00:34 105984 ----a-w- c:\windows\system32\SET3D94.tmp
2010-11-06 00:34 . 2010-11-06 00:34 63488 ----a-w- c:\windows\system32\SET3DAB.tmp
2010-11-06 00:34 . 2010-11-06 00:34 6075904 ----a-w- c:\windows\system32\SET3DA4.tmp
2010-11-06 00:34 . 2010-11-06 00:34 52224 ----a-w- c:\windows\system32\SET3D9B.tmp
2010-11-06 00:34 . 2010-11-06 00:34 468480 ----a-w- c:\windows\system32\SET3D9C.tmp
2010-11-06 00:34 . 2010-11-06 00:34 380928 ----a-w- c:\windows\system32\SET3DA6.tmp
2010-11-06 00:34 . 2010-11-06 00:34 3604480 ----a-w- c:\windows\system32\SET3D9A.tmp
2010-11-06 00:34 . 2010-11-06 00:34 347136 ----a-w- c:\windows\system32\SET3DAD.tmp
2010-11-06 00:34 . 2010-11-06 00:34 27648 ----a-w- c:\windows\system32\SET3D9D.tmp
2010-11-06 00:34 . 2010-11-06 00:34 268288 ----a-w- c:\windows\system32\SET3DA0.tmp
2010-11-06 00:34 . 2010-11-06 00:34 214528 ----a-w- c:\windows\system32\SET3DAC.tmp
2010-11-06 00:34 . 2010-11-06 00:34 192512 ----a-w- c:\windows\system32\SET3DA2.tmp
2010-11-06 00:34 . 2010-11-06 00:34 17408 ----a-w- c:\windows\system32\SET3DAE.tmp
2010-11-06 00:34 . 2010-11-06 00:34 124928 ----a-w- c:\windows\system32\SET3DAF.tmp
2010-11-06 00:34 . 2008-04-15 03:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-06 00:34 . 2007-08-14 01:45 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-04 14:41 . 2010-10-21 01:55 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-11-03 12:25 . 2008-04-15 03:00 389120 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-04-15 03:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2010-10-28 13:13 290048 ----a-w- c:\windows\system32\SET3E37.tmp
2010-10-26 13:25 . 2008-04-15 03:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 18:41 . 2009-10-03 02:43 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-23 07:46 . 2010-10-21 04:23 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-23 07:46 . 2010-10-21 01:56 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-12-08_00.46.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-17 12:31 . 2010-12-17 12:31 16384 c:\windows\temp\Perflib_Perfdata_568.dat
+ 2008-03-27 10:40 . 2010-11-03 13:12 46080 c:\windows\system32\tzchange.exe
- 2008-03-27 10:40 . 2010-06-21 14:46 46080 c:\windows\system32\tzchange.exe
- 2010-05-11 09:16 . 2010-02-22 14:23 17272 c:\windows\system32\spmsg.dll
+ 2010-05-11 09:16 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2008-08-15 19:59 . 2010-12-17 12:36 72134 c:\windows\system32\perfc009.dat
- 2008-08-15 19:59 . 2010-12-08 00:33 72134 c:\windows\system32\perfc009.dat
+ 2007-08-14 01:39 . 2010-11-03 12:24 13824 c:\windows\system32\ieudinit.exe
- 2007-08-14 01:39 . 2010-09-08 15:57 13824 c:\windows\system32\ieudinit.exe
- 2007-08-14 01:39 . 2010-09-09 13:38 44544 c:\windows\system32\iernonce.dll
+ 2007-08-14 01:39 . 2010-11-06 00:34 44544 c:\windows\system32\iernonce.dll
- 2007-08-14 01:39 . 2010-09-08 15:57 70656 c:\windows\system32\ie4uinit.exe
+ 2007-08-14 01:39 . 2010-11-03 12:24 70656 c:\windows\system32\ie4uinit.exe
+ 2008-04-15 03:00 . 2010-10-11 14:59 45568 c:\windows\system32\dllcache\wab.exe
+ 2007-08-14 01:36 . 2010-11-06 00:34 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2007-08-14 01:36 . 2010-09-09 13:38 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2008-04-15 03:00 . 2010-11-02 15:17 40960 c:\windows\system32\dllcache\ndproxy.sys
- 2009-01-01 00:43 . 2010-09-09 13:38 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2009-01-01 00:43 . 2010-11-06 00:34 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2007-08-14 01:54 . 2010-11-06 00:34 27648 c:\windows\system32\dllcache\jsproxy.dll
- 2007-08-14 01:54 . 2010-09-09 13:38 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2008-04-15 03:00 . 2010-11-18 18:12 81920 c:\windows\system32\dllcache\isign32.dll
- 2008-04-15 03:00 . 2008-04-15 03:00 81920 c:\windows\system32\dllcache\isign32.dll
+ 2009-01-01 00:43 . 2010-11-03 12:24 13824 c:\windows\system32\dllcache\ieudinit.exe
- 2009-01-01 00:43 . 2010-09-08 15:57 13824 c:\windows\system32\dllcache\ieudinit.exe
+ 2007-08-14 01:39 . 2010-11-06 00:34 44544 c:\windows\system32\dllcache\iernonce.dll
- 2007-08-14 01:39 . 2010-09-09 13:38 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2008-04-15 03:00 . 2010-11-06 00:34 78336 c:\windows\system32\dllcache\ieencode.dll
- 2008-04-15 03:00 . 2010-09-09 13:38 78336 c:\windows\system32\dllcache\ieencode.dll
- 2007-08-14 01:39 . 2010-09-08 15:57 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2007-08-14 01:39 . 2010-11-03 12:24 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2009-01-01 00:43 . 2010-11-06 00:34 63488 c:\windows\system32\dllcache\icardie.dll
- 2009-01-01 00:43 . 2010-09-09 13:38 63488 c:\windows\system32\dllcache\icardie.dll
- 2008-04-15 03:00 . 2010-09-09 13:38 17408 c:\windows\system32\dllcache\corpol.dll
+ 2008-04-15 03:00 . 2010-11-06 00:34 17408 c:\windows\system32\dllcache\corpol.dll
+ 2009-11-29 10:02 . 2010-12-18 17:56 35088 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-11-29 10:02 . 2010-11-11 03:10 35088 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-11-29 10:02 . 2010-12-18 17:56 18704 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-11-29 10:02 . 2010-11-11 03:10 18704 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-11-29 10:02 . 2010-11-11 03:10 20240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-11-29 10:02 . 2010-12-18 17:56 20240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
+ 2010-12-18 17:55 . 2010-09-09 13:38 44544 c:\windows\ie7updates\KB2416400-IE7\pngfilt.dll
+ 2010-12-18 17:55 . 2010-09-09 13:38 52224 c:\windows\ie7updates\KB2416400-IE7\msfeedsbs.dll
+ 2010-12-18 17:55 . 2010-09-09 13:38 27648 c:\windows\ie7updates\KB2416400-IE7\jsproxy.dll
+ 2010-12-18 17:55 . 2010-09-08 15:57 13824 c:\windows\ie7updates\KB2416400-IE7\ieudinit.exe
+ 2010-12-18 17:55 . 2010-09-09 13:38 44544 c:\windows\ie7updates\KB2416400-IE7\iernonce.dll
+ 2010-12-18 17:55 . 2010-09-09 13:38 78336 c:\windows\ie7updates\KB2416400-IE7\ieencode.dll
+ 2010-12-18 17:55 . 2010-09-08 15:57 70656 c:\windows\ie7updates\KB2416400-IE7\ie4uinit.exe
+ 2010-12-18 17:55 . 2010-09-09 13:38 63488 c:\windows\ie7updates\KB2416400-IE7\icardie.dll
+ 2010-12-18 17:55 . 2010-09-09 13:38 17408 c:\windows\ie7updates\KB2416400-IE7\corpol.dll
- 2008-08-15 19:59 . 2010-12-08 00:33 443034 c:\windows\system32\perfh009.dat
+ 2008-08-15 19:59 . 2010-12-17 12:36 443034 c:\windows\system32\perfh009.dat
+ 2007-08-14 01:44 . 2010-11-06 00:34 102912 c:\windows\system32\occache.dll
- 2007-08-14 01:44 . 2010-09-09 13:38 102912 c:\windows\system32\occache.dll
+ 2007-08-14 01:54 . 2010-11-06 00:34 671232 c:\windows\system32\mstime.dll
- 2007-08-14 01:54 . 2010-09-09 13:38 671232 c:\windows\system32\mstime.dll
- 2007-08-14 01:44 . 2010-09-09 13:38 193024 c:\windows\system32\msrating.dll
+ 2007-08-14 01:44 . 2010-11-06 00:34 193024 c:\windows\system32\msrating.dll
- 2007-08-14 01:39 . 2010-09-09 13:38 384512 c:\windows\system32\iedkcs32.dll
+ 2007-08-14 01:39 . 2010-11-06 00:34 384512 c:\windows\system32\iedkcs32.dll
+ 2007-08-14 00:56 . 2010-10-18 11:06 161792 c:\windows\system32\ieakui.dll
- 2007-08-14 00:56 . 2010-08-25 11:29 161792 c:\windows\system32\ieakui.dll
+ 2007-08-14 01:39 . 2010-11-06 00:34 230400 c:\windows\system32\ieaksie.dll
- 2007-08-14 01:39 . 2010-09-09 13:38 230400 c:\windows\system32\ieaksie.dll
- 2007-08-14 01:39 . 2010-09-09 13:38 153088 c:\windows\system32\ieakeng.dll
+ 2007-08-14 01:39 . 2010-11-06 00:34 153088 c:\windows\system32\ieakeng.dll
+ 2007-08-14 01:54 . 2010-11-06 00:34 133120 c:\windows\system32\extmgr.dll
- 2007-08-14 01:54 . 2010-09-09 13:38 133120 c:\windows\system32\extmgr.dll
- 2007-08-14 01:54 . 2010-09-09 13:38 832512 c:\windows\system32\dllcache\wininet.dll
+ 2007-08-14 01:54 . 2010-11-06 00:34 832512 c:\windows\system32\dllcache\wininet.dll
+ 2007-08-14 01:54 . 2010-11-06 00:34 233472 c:\windows\system32\dllcache\webcheck.dll
- 2007-08-14 01:54 . 2010-09-09 13:38 233472 c:\windows\system32\dllcache\webcheck.dll
- 2007-08-14 01:44 . 2010-09-09 13:38 105984 c:\windows\system32\dllcache\url.dll
+ 2007-08-14 01:44 . 2010-11-06 00:34 105984 c:\windows\system32\dllcache\url.dll
- 2007-08-14 01:44 . 2010-09-09 13:38 102912 c:\windows\system32\dllcache\occache.dll
+ 2007-08-14 01:44 . 2010-11-06 00:34 102912 c:\windows\system32\dllcache\occache.dll
- 2007-08-14 01:54 . 2010-09-09 13:38 671232 c:\windows\system32\dllcache\mstime.dll
+ 2007-08-14 01:54 . 2010-11-06 00:34 671232 c:\windows\system32\dllcache\mstime.dll
+ 2007-08-14 01:44 . 2010-11-06 00:34 193024 c:\windows\system32\dllcache\msrating.dll
- 2007-08-14 01:44 . 2010-09-09 13:38 193024 c:\windows\system32\dllcache\msrating.dll
- 2007-08-14 01:54 . 2010-09-09 13:38 478208 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-08-14 01:54 . 2010-11-06 00:34 478208 c:\windows\system32\dllcache\mshtmled.dll
- 2009-01-01 00:43 . 2010-09-09 13:38 468480 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-01-01 00:43 . 2010-11-06 00:34 468480 c:\windows\system32\dllcache\msfeeds.dll
+ 2007-08-14 01:43 . 2010-10-18 11:07 634648 c:\windows\system32\dllcache\iexplore.exe
- 2007-08-14 01:43 . 2010-08-25 11:30 634648 c:\windows\system32\dllcache\iexplore.exe
+ 2009-01-01 00:43 . 2010-11-06 00:34 268288 c:\windows\system32\dllcache\iertutil.dll
- 2009-01-01 00:43 . 2010-09-09 13:38 268288 c:\windows\system32\dllcache\iertutil.dll
- 2007-08-14 01:54 . 2010-09-09 13:38 192512 c:\windows\system32\dllcache\iepeers.dll
+ 2007-08-14 01:54 . 2010-11-06 00:34 192512 c:\windows\system32\dllcache\iepeers.dll
+ 2007-08-14 01:39 . 2010-11-06 00:34 384512 c:\windows\system32\dllcache\iedkcs32.dll
- 2007-08-14 01:39 . 2010-09-09 13:38 384512 c:\windows\system32\dllcache\iedkcs32.dll
- 2009-01-01 00:43 . 2010-09-09 13:38 380928 c:\windows\system32\dllcache\ieapfltr.dll
+ 2009-01-01 00:43 . 2010-11-06 00:34 380928 c:\windows\system32\dllcache\ieapfltr.dll
- 2007-08-14 00:56 . 2010-08-25 11:29 161792 c:\windows\system32\dllcache\ieakui.dll
+ 2007-08-14 00:56 . 2010-10-18 11:06 161792 c:\windows\system32\dllcache\ieakui.dll
- 2007-08-14 01:39 . 2010-09-09 13:38 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2007-08-14 01:39 . 2010-11-06 00:34 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2007-08-14 01:39 . 2010-11-06 00:34 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2007-08-14 01:39 . 2010-09-09 13:38 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2007-08-14 01:54 . 2010-09-09 13:38 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2007-08-14 01:54 . 2010-11-06 00:34 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2007-08-14 01:35 . 2010-11-06 00:34 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2007-08-14 01:35 . 2010-09-09 13:38 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2007-08-14 01:35 . 2010-11-06 00:34 347136 c:\windows\system32\dllcache\dxtmsft.dll
- 2007-08-14 01:35 . 2010-09-09 13:38 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-04-15 03:00 . 2010-10-28 13:13 290048 c:\windows\system32\dllcache\atmfd.dll
- 2007-08-14 01:39 . 2010-09-09 13:38 124928 c:\windows\system32\dllcache\advpack.dll
+ 2007-08-14 01:39 . 2010-11-06 00:34 124928 c:\windows\system32\dllcache\advpack.dll
+ 2010-07-23 09:03 . 2010-07-23 09:03 338432 c:\windows\Installer\65034c6.msp
+ 2009-11-29 10:02 . 2010-12-18 17:56 888080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-11-29 10:02 . 2010-11-11 03:10 888080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-11-29 10:02 . 2010-11-11 03:10 922384 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-11-29 10:02 . 2010-12-18 17:56 922384 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
- 2009-11-29 10:02 . 2010-11-11 03:10 217864 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
+ 2009-11-29 10:02 . 2010-12-18 17:56 217864 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
- 2009-11-29 10:02 . 2010-11-11 03:10 184080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-11-29 10:02 . 2010-12-18 17:56 184080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-11-04 12:13 . 2008-11-04 12:13 118128 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.6425\MSCONV97.DLL
+ 2010-12-18 17:55 . 2010-09-09 13:38 832512 c:\windows\ie7updates\KB2416400-IE7\wininet.dll
+ 2010-12-18 17:55 . 2010-09-09 13:38 233472 c:\windows\ie7updates\KB2416400-IE7\webcheck.dll
+ 2010-12-18 17:55 . 2010-09-09 13:38 105984 c:\windows\ie7updates\KB2416400-IE7\url.dll
+ 2010-12-18 17:55 . 2010-02-22 14:23 382840 c:\windows\ie7updates\KB2416400-IE7\spuninst\updspapi.dll
+ 2010-12-18 17:55 . 2010-02-22 14:23 231288 c:\windows\ie7updates\KB2416400-IE7\spuninst\spuninst.exe
+ 2010-12-18 17:55 . 2010-09-09 13:38 102912 c:\windows\ie7updates\KB2416400-IE7\occache.dll
+ 2010-12-18 17:55 . 2010-09-09 13:38 671232 c:\windows\ie7updates\KB2416400-IE7\mstime.dll
+ 2010-12-18 17:55 . 2010-09-09 13:38 193024 c:\windows\ie7updates\KB2416400-IE7\msrating.dll
+ 2010-12-18 17:55 . 2010-09-09 13:38 478208 c:\windows\ie7updates\KB2416400-IE7\mshtmled.dll
+ 2010-12-18 17:55 . 2010-09-09 13:38 468480 c:\windows\ie7updates\KB2416400-IE7\msfeeds.dll
+ 2010-12-18 17:55 . 2010-08-25 11:30 634648 c:\windows\ie7updates\KB2416400-IE7\iexplore.exe
+ 2010-12-18 17:55 . 2010-09-09 13:38 268288 c:\windows\ie7updates\KB2416400-IE7\iertutil.dll
+ 2010-12-18 17:55 . 2010-09-09 13:38 192512 c:\windows\ie7updates\KB2416400-IE7\iepeers.dll
+ 2010-12-18 17:55 . 2010-09-09 13:38 384512 c:\windows\ie7updates\KB2416400-IE7\iedkcs32.dll
+ 2010-12-18 17:55 . 2010-09-09 13:38 380928 c:\windows\ie7updates\KB2416400-IE7\ieapfltr.dll
+ 2010-12-18 17:55 . 2010-08-25 11:29 161792 c:\windows\ie7updates\KB2416400-IE7\ieakui.dll
+ 2010-12-18 17:55 . 2010-09-09 13:38 230400 c:\windows\ie7updates\KB2416400-IE7\ieaksie.dll
+ 2010-12-18 17:55 . 2010-09-09 13:38 153088 c:\windows\ie7updates\KB2416400-IE7\ieakeng.dll
+ 2010-12-18 17:55 . 2010-09-09 13:38 133120 c:\windows\ie7updates\KB2416400-IE7\extmgr.dll
+ 2010-12-18 17:55 . 2010-09-09 13:38 214528 c:\windows\ie7updates\KB2416400-IE7\dxtrans.dll
+ 2010-12-18 17:55 . 2010-09-09 13:38 347136 c:\windows\ie7updates\KB2416400-IE7\dxtmsft.dll
+ 2010-12-18 17:55 . 2010-09-09 13:38 124928 c:\windows\ie7updates\KB2416400-IE7\advpack.dll
+ 2008-04-15 03:00 . 2010-10-26 13:25 1853312 c:\windows\system32\dllcache\win32k.sys
+ 2007-08-14 01:54 . 2010-11-06 00:34 1168384 c:\windows\system32\dllcache\urlmon.dll
- 2007-08-14 01:54 . 2010-09-09 13:38 1168384 c:\windows\system32\dllcache\urlmon.dll
+ 2007-08-14 01:54 . 2010-11-06 00:34 3604480 c:\windows\system32\dllcache\mshtml.dll
+ 2009-01-01 00:43 . 2010-11-06 00:34 6075904 c:\windows\system32\dllcache\ieframe.dll
- 2009-01-01 00:43 . 2010-09-09 13:38 6075904 c:\windows\system32\dllcache\ieframe.dll
+ 2009-11-29 10:02 . 2010-12-18 17:56 1172240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
- 2009-11-29 10:02 . 2010-11-11 03:10 1172240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
+ 2010-12-18 17:55 . 2010-09-09 13:38 1168384 c:\windows\ie7updates\KB2416400-IE7\urlmon.dll
+ 2010-12-18 17:55 . 2010-09-09 13:38 3601920 c:\windows\ie7updates\KB2416400-IE7\mshtml.dll
+ 2010-12-18 17:55 . 2010-09-09 13:38 6075904 c:\windows\ie7updates\KB2416400-IE7\ieframe.dll
+ 2009-01-01 10:20 . 2010-12-18 17:50 37366216 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDTray"="c:\program files\Livescribe\Livescribe Desktop\LDTray.exe" [2010-02-18 647168]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"M3000Mnt"="M3000Rmv.dll " [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-15 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-04 149280]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"D-Link D-Link Wireless 150 USB Adapter DWA-125"="c:\program files\D-Link\DWA-125 revA\AirGCFG.exe" [2009-04-22 1683456]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\Mochi\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
PdaNet Desktop.lnk - c:\program files\PdaNet for Windows Mobile\PdaNetPC.exe [2008-12-31 222424]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-11-1 576104]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-6-4 114688]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-1-2 809488]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2009-6-12 1073152]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-9-11 525664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-08 00:41 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\PdaNet for Windows Mobile\\PdaNetPC.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/20/2010 5:56 PM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67656]
R2 ANIWConnService;ANIWConn Service;c:\windows\system32\ANIWConnService.exe [8/15/2009 10:10 PM 147456]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/29/2009 7:24 PM 108289]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [1/2/2009 7:27 PM 10384]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [10/19/2010 5:55 PM 632792]
R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\Common Files\Livescribe\PenComm\PenCommService.exe [2/18/2010 1:23 PM 265728]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [5/5/2008 8:01 AM 151936]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [12/31/2008 4:56 PM 9472]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\DRIVERS\EAPPkt.sys --> c:\windows\system32\DRIVERS\EAPPkt.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/22/2010 11:46 PM 1375992]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [12/31/2008 2:34 PM 96856]
S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [3/7/2010 7:13 PM 20096]
S3 RTL8187B;Airlink101 802.11g USB 2.0 Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys --> c:\windows\system32\DRIVERS\RTL8187B.sys [?]
S3 UCharger;Usb Charger Driver;c:\windows\system32\drivers\UCharger.sys [9/16/2009 2:43 PM 13765]

--- Other Services/Drivers In Memory ---

*Deregistered* - Lavasoft Kernexplorer
.
Contents of the 'Scheduled Tasks' folder

2010-12-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-09-23 21:59]

2010-07-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-12-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]

2010-12-18 c:\windows\Tasks\RMSchedule.job
- c:\program files\Registry Mechanic\RegMech.exe [2010-10-20 18:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=1208&m=aoa150
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=1208&m=aoa150
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Mochi\Application Data\Mozilla\Firefox\Profiles\6fhmyz1i.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Personas: [email protected] - %profile%\extensions\[email protected]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-18 12:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
LDTray = c:\program files\Livescribe\Livescribe Desktop\LDTray.exe??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


c:\windows\TEMP\TMP000001368008937FF0CD641E 524288 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2010-12-18 12:29:13
ComboFix-quarantined-files.txt 2010-12-18 20:29
ComboFix2.txt 2010-12-17 12:39
ComboFix3.txt 2010-12-17 04:59
ComboFix4.txt 2010-12-08 00:56

Pre-Run: 71,612,686,336 bytes free
Post-Run: 71,596,867,584 bytes free

- - End Of File - - BFC07914961D9F62102F5682FCE99614

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,360 posts
  • Gender:Not Telling
  • Location:Canada

Posted 18 December 2010 - 04:02 PM

Please upload the file manually:

Please open this link HERE in a new window.

In the box marked Link to topic where this file was requested: please paste in the following text
http://www.bleepingcomputer.com/forums/topic366005.html/page__view__findpost__p__2061639

Click the Browse button and navigate to C:\Qoobox\Quarantine

There should be a zip file there called [4]-Submit_****-**-**_**.**.**.zip ( the * denotes Date and Time stamp - yours will be close to this: 12/18/2010 12:20:53)
Select this file and click Open
In the Largest box please put
File Requested By CatByte
Failed Collect::

Finally click SendFile

Please return here and let me know when that file has been uploaded.
The help you receive here is free. If you wish to show your appreciation, then you may donate.
Microsoft MVP - 2010, 2011, 2012, 2013

#15 sailorchrono

sailorchrono
  • Topic Starter

  • Members
  • 9 posts

Posted 18 December 2010 - 04:06 PM

The file has been uploaded!
